In ICSA Labs tests, blocked 99 percent of malware based solely on behavior. Blocked no legitimate programs. Suspends suspicious connections until proven legitimate. Can use signature files to enhance its blocking abilities.

Cons

Will not remove malware until it attempts malicious behavior. Can affect system performance.

Bottom Line

If your regular antivirus software misses the next brand-new attack, there's a very good chance TruPrevent will catch it, thanks to its behavior-based scanning.

Last year, Panda Software released TruPrevent, a technology that blocks viruses and other malicious programs strictly based on their behavior, rather than on a threat's signature. Its purpose is to catch viruses and Trojans that are so new your signature-based antivirus software doesn't yet know how to recognize them. The latest build adds new functionality and performed very impressively in lab tests by the ICSA, a well-known security testing and certification group. (It should be noted that although the methodology appears sound, the ICSA testing was contracted by Panda Software. The full report can be found at http://www.icsalabs.com/services/lab_reports/Panda_Public_Evaluation.PDF.) TruPrevent technology is included in all of Panda's security products, but if you want an additional line of defense alongside other security utilities, you can use the standalone TruPrevent Personal 2.0 to augment your existing antivirus product.

TruPrevent Personal leaves the task of scanning for known viruses to your signature-based antivirus utility. It has a different orientation: It watches every running program and, according to the ICSA tests, can nearly always identify malicious behavior without being tripped up by valid program activity. Just before the actual damage occurs, TruPrevent intervenes, terminates the process, and sends a report to Panda. It checks the found malware against a standard antivirus signature file and, when possible, identifies it by name. When the program detects a suspicious pattern of attempts to connect via the system's ports, it temporarily blocks the program's communication until it can ascertain whether or not the connection is legitimate. This feature is somewhat similar to a personal firewall's program control, but TruPrevent makes all the decisions; you never have to respond to a pop-up query.

The ICSA testers configured a small network with a variety of server and client systems running TruPrevent Personal. The product's signature file was replaced with an empty file, forcing it to rely strictly on behavior to identify malicious software. The testers then released nearly a hundred malicious programs, including adware, Trojans, scripts, worms, and viruses, into this environment. In every case but one, TruPrevent Personal blocked the malware at the precise point when it actually tried to do something harmful. Of course, even one virus can do a lot of damage, but TruPrevent Personal would normally be used in conjunction with a standard signature-based antivirus program. ICSA Labs also installed a variety of real-world programs and verified that none were falsely identified as malicious. But there was a downside: In exchange for TruPrevent Personal's strict monitoring, you can expect to see other processes you run slowed down by about 10 percent.

To get a feel for the product in our own labs without handling live viruses, we loaded TruPrevent Personal on a machine and then visited three sites known to install spyware. We accepted the ActiveX controls they offered, some of which in turn tried to load additional spyware modules. TruPrevent Personal blocked and removed all of the unwanted applications. In one case it requested a system restart for complete removal. In another, several adware applications kept reappearing, probably launched by an innocuous "buddy process" not itself identifiable as spyware. Another restart put an end to this magical reappearance. Notably, TruPrevent Personal blocked Istbar and Look2Me, which daunted both Webroot Spy Sweeper 3.5 and Norton Internet Security 2005 Antispyware Edition in a test last week.

Next, we attempted to install two popular peer-to-peer file-sharing products. The installation routines for these products generally install numerous "bonus" applications, some of which are considered to be spyware or adware. The file-sharing installations simply didn't get off the ground, as TruPrevent Personal blocked their essential peer-to-peer networking module. If you want to use a file-sharing program, you will need to put it on TruPrevent Personal's exceptions list. We ran a full Spy Sweeper scan after all of this activity. It found a number of file and Registry traces, but didn't find any spyware processes running, which means TruPrevent Personal was successful.

Of course, the fact that TruPrevent Personal was able to report on successfully blocked items by name meant that it was identifying them based on its signature file. We removed the signature file and repeated the tests. As expected, it did not detect the adware and spyware processes; their behavior just wasn't sufficiently malicious without the specific identification provided by the signature file. They didn't overwrite system files, didn't attempt to spread to other computers, didn't open "back doors" to allow other programs access, and so on.
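To make the behavior-versus-signature distinction concrete, here is a toy behavior-based process monitor written for this review as an illustration; it is not Panda's code and does not reflect how TruPrevent is implemented internally. It models the three ideas the text describes: a program is judged by what it does (overwriting system files, spreading to many hosts, opening a listening "back door"), a burst of outbound connections is held until the program is proven legitimate via an exceptions list, and a signature table, when present, only adds certainty and a name. The event stream, the file hashes ("h-worm", "h-adware", and so on), the thresholds, and the "Adware.Sample" signature name are all constructed for the example; with an empty signature table the adware process is allowed, exactly as the review observed, because its behavior alone is not malicious enough.

```python
"""Toy behaviour-based process monitor (added illustration, not Panda's code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SYSTEM_DIRS = ("c:\\windows\\",)  # assumption: the Windows system tree is the protected area
SPREAD_HOSTS = 5                   # distinct hosts on one port => treat as spreading
HOLD_AFTER = 3                     # outbound attempts before traffic is held for review


@dataclass
class Verdict:
    process: str
    action: str                 # "allow", "hold" or "block"
    reason: str
    name: Optional[str] = None  # signature name when the table knows the file


class BehaviourMonitor:
    def __init__(self, signatures=None):
        self.signatures = signatures or {}  # hash -> family name; {} = behaviour only
        self.approved = set()               # exceptions list (user-approved programs)
        self.blocked = {}                   # process -> Verdict that terminated it
        self.hosts = defaultdict(lambda: defaultdict(set))  # proc -> port -> hosts seen
        self.attempts = defaultdict(int)    # proc -> outbound connection attempts

    def approve(self, proc):
        """Put a program on the exceptions list, releasing any held connections."""
        self.approved.add(proc)

    def _block(self, proc, reason, name=None):
        verdict = Verdict(proc, "block", reason, name)
        self.blocked[proc] = verdict
        return verdict

    def observe(self, proc, event, digest=None):
        """Judge one event for one process; a blocked process stays blocked."""
        if proc in self.blocked:
            return self.blocked[proc]
        name = self.signatures.get(digest)
        if name:  # a signature hit is decisive and supplies the name
            return self._block(proc, "signature match", name)
        kind, *args = event
        if kind == "write_file" and args[0].lower().startswith(SYSTEM_DIRS):
            return self._block(proc, "overwrote system file " + args[0])
        if kind == "listen":
            return self._block(proc, "opened listening port %d (back door)" % args[0])
        if kind == "connect":
            host, port = args
            self.hosts[proc][port].add(host)
            self.attempts[proc] += 1
            if len(self.hosts[proc][port]) >= SPREAD_HOSTS:
                return self._block(proc, "contacted %d hosts on port %d (spreading)"
                                   % (SPREAD_HOSTS, port))
            if self.attempts[proc] >= HOLD_AFTER and proc not in self.approved:
                return Verdict(proc, "hold", "connections held until proven legitimate")
        return Verdict(proc, "allow", "no malicious behaviour observed")


# Constructed event stream: five programs; the digests are made-up labels, not real hashes.
EVENTS = (
    [("dropper.exe", ("write_file", r"C:\Windows\System32\drivers\x.sys"), "h-dropper"),
     ("backdoor.exe", ("listen", 4444), "h-backdoor")]
    + [("worm.exe", ("connect", "10.0.0.%d" % i, 445), "h-worm") for i in range(1, 6)]
    + [("updater.exe", ("connect", "updates.example.test", 443), "h-updater") for _ in range(4)]
    + [("adware.exe", ("write_file", r"C:\Users\me\AppData\ads.dat"), "h-adware"),
       ("adware.exe", ("connect", "ads.example.test", 80), "h-adware")]
)


def run_scenario(signatures=None):
    """Replay EVENTS; return the final (action, name) per process and the worm's verdict sequence."""
    monitor = BehaviourMonitor(signatures)
    final, worm_trace = {}, []
    for proc, event, digest in EVENTS:
        verdict = monitor.observe(proc, event, digest)
        if proc == "updater.exe" and verdict.action == "hold":
            monitor.approve(proc)  # the user confirms the updater is legitimate
            verdict = monitor.observe(proc, event, digest)
        if proc == "worm.exe":
            worm_trace.append(verdict.action)
        final[proc] = (verdict.action, verdict.name)
    return final, worm_trace


if __name__ == "__main__":
    for label, table in (("behaviour only", None), ("with signatures", {"h-adware": "Adware.Sample"})):
        results, trace = run_scenario(table)
        print(label, results, "worm:", trace)
```

Run it once with an empty signature table and once with one entry: the dropper, back door and worm are blocked either way, the updater is held after its third connection and released once approved, and the adware process is only blocked when its hash is in the table. The worm's verdict sequence (allow, allow, hold, hold, block) shows why the hold step matters: traffic is suspended before the spreading threshold is reached, without any pop-up.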

We've decided not to give the product a rating at this time, pending independent verification of the test results by other labs. But from what we've seen, TruPrevent Personal 2.0 can provide a layer of protection against "zero day" attacks that your signature-based antivirus utility may miss. Given the speed with which new viruses spread these days, that protection might be a lifesaver.

Panda TruPrevent Personal 2.0

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...